Embodiments of the invention relate to on-line account access. Users often have multiple online accounts that are used for various purposes. Each account may separately require different user credentials (e.g., usernames and various forms of passwords) in order to properly authenticate the user and to authorize the user to access various products or services offered by respective institutions of these accounts. For example, a user may have a banking account with a financial institution, a brokerage account with an investment banking institution, or any other online accounts for other purposes. It is often tedious to manage multiple online accounts with different usernames or passwords.
One known approach is to use a single sign-on (SSO) approach, which provides access control across multiple related but possibly independent systems by internally translating and storing different credentials for these multiple independent systems. SSO ensures that users do not actively have to enter their credentials more than once by using centralized authentication server(s) that all of these related systems utilize for authentication purposes. In other words, with the SSO approach, the system enables a user to enter one username and one password to log on to a network once and thereby gain access to different systems or Web sites. An SSO approach may use, for example, a ticket-granting ticket (TGT), where the initial sign-on prompts the user for credentials and obtains a TGT, and additional applications requiring authentication are provided with the user's identity and use the TGT to acquire service tickets without prompting the user to re-enter credentials. Another SSO approach uses a smart-card-based approach, where the initial sign-on asks the user for a smart card identification (e.g., certificates or passwords stored on the smart card), and additional applications also use the smart card identification without asking the user to re-enter credentials. Another SSO approach combines multi-factor authentication with security tokens (e.g., OTP tokens) and uses the tokens to store software that allows for seamless authentication and password filling.
Although the SSO approaches do not require the user to enter credentials more than once, they involve special server-to-server communications and passing user credentials between the user's browser and multiple systems, and thus pose a greater risk of compromising the user's credentials by, for example, replay attacks or eavesdropping. Some approaches use OAuth, which allows users to hand out tokens to their data instead of credentials, where each token grants access to a specific site for specific resources for a defined duration. Some approaches use OpenID, which describes how users may be authenticated in a decentralized manner. The OpenID architecture obviates the need for external systems to provide their own ad hoc authentication systems and allows users to consolidate digital identities. Nonetheless, the SSO architecture, the OAuth architecture, and the OpenID architecture all involve custom development on the external systems hosting the remote resources.
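The ticket-granting flow described in the two paragraphs above, together with the replay risk the second paragraph raises, is easier to reason about with a concrete model. The following is an added, constructed example and is not code from the patent or from any SSO product: a toy central authentication server checks the password once and issues a TGT, later applications obtain service tickets from that TGT without re-prompting, and each relying service verifies the issuer's MAC, the ticket's scope, its expiry, and a one-time nonce so that a ticket captured and presented a second time is rejected. The server key, user record, service names and clock values are all assumptions made for the demonstration; real systems (Kerberos, for instance) bind tickets with session keys and authenticators rather than a single shared MAC key, so this is a simplification of the mechanism, not a faithful implementation of any protocol.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Constructed key shared by the auth server and the services (assumption for the demo).
SERVER_KEY = b"constructed-demo-key-do-not-reuse"
TGS = "ticket-granting-service"  # pseudo-service name a TGT is scoped to


class TicketError(Exception):
    """Raised when a ticket fails integrity, scope, expiry or replay checks."""


@dataclass(frozen=True)
class Ticket:
    user: str
    service: str        # which service may accept this ticket
    expires_at: float   # absolute expiry time (seconds)
    nonce: str          # unique per ticket, lets a service detect replay
    tag: str            # HMAC over the fields above, proves the issuer

    @staticmethod
    def payload(user, service, expires_at, nonce) -> bytes:
        return f"{user}|{service}|{expires_at:.3f}|{nonce}".encode()


def _mac(payload: bytes) -> str:
    return hmac.new(SERVER_KEY, payload, hashlib.sha256).hexdigest()


def _issue(user: str, service: str, now: float, ttl: float) -> Ticket:
    expires_at, nonce = now + ttl, secrets.token_hex(8)
    return Ticket(user, service, expires_at, nonce,
                  _mac(Ticket.payload(user, service, expires_at, nonce)))


def check_ticket(ticket: Ticket, expected_service: str, now: float) -> None:
    """Verify the issuer MAC, that the ticket is scoped to this service, and expiry."""
    expected = _mac(Ticket.payload(ticket.user, ticket.service, ticket.expires_at, ticket.nonce))
    if not hmac.compare_digest(ticket.tag, expected):
        raise TicketError("bad ticket MAC")
    if ticket.service != expected_service:
        raise TicketError(f"ticket scoped to {ticket.service}, not {expected_service}")
    if now >= ticket.expires_at:
        raise TicketError("ticket expired")


def make_user(password: str):
    """Constructed user record: (salt, PBKDF2 digest)."""
    salt = secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class AuthServer:
    """Central server: checks the password once at initial sign-on, then only tickets."""

    def __init__(self, users: dict, ttl: float = 300.0):
        self.users, self.ttl = users, ttl

    def initial_signon(self, user: str, password: str, now: float) -> Ticket:
        record = self.users.get(user)
        if record is None:
            raise TicketError("unknown user")
        salt, digest = record
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        if not hmac.compare_digest(candidate, digest):
            raise TicketError("bad password")
        return _issue(user, TGS, now, self.ttl)

    def service_ticket(self, tgt: Ticket, service: str, now: float) -> Ticket:
        check_ticket(tgt, TGS, now)  # the TGT, not the password, proves identity now
        return _issue(tgt.user, service, now, self.ttl)


class Service:
    """A relying application; remembers presented nonces so a replayed ticket fails."""

    def __init__(self, name: str):
        self.name, self.seen_nonces = name, set()

    def accept(self, ticket: Ticket, now: float) -> str:
        check_ticket(ticket, self.name, now)
        if ticket.nonce in self.seen_nonces:
            raise TicketError("replayed ticket")
        self.seen_nonces.add(ticket.nonce)
        return ticket.user


def _outcome(results: dict, key: str, action) -> None:
    try:
        action()
        results[key] = "accepted"
    except TicketError as exc:
        results[key] = str(exc)


def demo() -> dict:
    """One password prompt, two services, then replay, wrong scope, expiry, bad password."""
    now = 1_700_000_000.0  # constructed clock value
    auth = AuthServer({"alice": make_user("correct horse")}, ttl=300)
    bank, broker = Service("bank"), Service("broker")
    results = {}
    tgt = auth.initial_signon("alice", "correct horse", now)
    results["bank"] = bank.accept(auth.service_ticket(tgt, "bank", now), now)
    results["broker"] = broker.accept(auth.service_ticket(tgt, "broker", now), now)
    st = auth.service_ticket(tgt, "bank", now)
    bank.accept(st, now)
    _outcome(results, "replay", lambda: bank.accept(st, now + 1))          # same ticket twice
    _outcome(results, "scope", lambda: broker.accept(st, now))             # bank ticket at broker
    _outcome(results, "expired", lambda: auth.service_ticket(tgt, "bank", now + 301))
    _outcome(results, "bad_password", lambda: auth.initial_signon("alice", "wrong", now))
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the model for a defender is where each check lives: the password is verified exactly once at the central server, every later hop carries a ticket bound to one service and one lifetime, and the relying service, not the user, is responsible for rejecting a ticket it has already seen. An eavesdropped service ticket in this model is worth one use at one service before its nonce is recorded or its TTL lapses, whereas an eavesdropped password in the thick-client model described below is reusable indefinitely.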
Some known approaches use the thick client concept to simplify a user's login to multiple independent systems and to provide the user with one-click access to those systems. However, the thick client architecture or network typically provides rich functionality or even full functionality (e.g., the login functionality) independent of the central server. The thick-client architecture allows the client to be fully functional even in the absence of a network connection, and thus presents a greater risk of compromising the user's credentials, because the thick client uses its own independent login functionality to automatically log the user onto the different independent systems.